[Bro] Bro load with no traffic
Azoff, Justin S
jazoff at illinois.edu
Fri Oct 19 12:18:41 PDT 2018
If you are on 2.5.x and not master, this should still work:
http://mailman.icsi.berkeley.edu/pipermail/bro/2016-November/011010.html
I wouldn't bother using it on a production system though.
—
Justin Azoff
> On Oct 19, 2018, at 3:13 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
>
> Thanks Jon, makes sense now.
> I will see if we would want to deep dive into finding out what exactly is causing the load. :)
>
> Fatema.
>
> On Thu, Oct 18, 2018 at 6:26 PM Jon Siwek <jsiwek at corelight.com> wrote:
> On Thu, Oct 18, 2018 at 10:01 AM fatema bannatwala
> <fatema.bannatwala at gmail.com> wrote:
> >
> > Does anyone know why Bro would be using resources when no traffic flowing to the sensor?
>
> Currently, Bro's main loop never completely idles in absence of input,
> so something on the order of 5% cpu usage in absence of network
> traffic might still be "normal". Also note that packets aren't
> the only input source. As an example, if you shut off traffic
> suddenly, but had a large backlog of Broker messages or continued to
> send/recv remote messages, that could be processing resources that Bro
> continues to use for some time. The event engine also continues on
> with any scheduled events, etc.
>
> So not particularly unexpected to hear there's some load in absence of
> packets, but hard to say specifically what causes the load in this
> case -- you may need to profile/trace if you're really interested.
>
> - Jon